In a sign that threat actors continuously shift tactics and update their defensive measures, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy Windows Registry tricks to establish long-term persistence on compromised systems.
Cybersecurity firm Sophos, which spotted the new behavior, said that the remote access implants are still being detected on targeted networks despite the campaign witnessing a decline in November 2021.
Boasting of information harvesting and backdoor capabilities, the .NET-based malware has been linked to at least three different attack waves in 2021. The first set, reported in April, took advantage of search engine poisoning techniques to trick business professionals into visiting sketchy Google sites that installed SolarMarker on the victim's machines.
Then in August, the malware was observed targeting healthcare and education sectors with the goal of gathering credentials and sensitive information. Subsequent infection chains documented by Morphisec in September 2021 highlighted the use of MSI installers to ensure the delivery of the malware.
The SolarMarker modus operandi commences with redirecting victims to decoy sites that drop the MSI installer payloads, which, while executing seemingly legitimate install programs such as Adobe Acrobat Pro DC, Wondershare PDFelement, or Nitro Pro, also launches a PowerShell script to deploy the malware.
"These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted," Sophos researchers Gabor Szappanos and Sean Gallagher said in a report shared with The Hacker News.
The PowerShell installer is designed to alter the Windows Registry and drop a .LNK file into Windows' startup directory to establish persistence. This unauthorized change results in the malware getting loaded from an encrypted payload hidden amongst what the researchers called a "smokescreen" of 100 to 300 junk files created specifically for this purpose.
"Normally, one would expect this linked file to be an executable or script file," the researchers detailed. "But for these SolarMarker campaigns the linked file is one of the random junk files, and cannot be executed itself."
What's more, the unique and random file extension used for the linked junk file is utilized to create a custom file type key, which is ultimately employed to execute the malware during system startup by running a PowerShell command from the Registry.
The backdoor, for its part, is ever-evolving, featuring an array of functionalities that allow it to steal information from web browsers, facilitate cryptocurrency theft, and execute arbitrary commands and binaries, the results of which are exfiltrated back to a remote server.
"Another important takeaway […], which was also seen in the ProxyLogon vulnerabilities targeting Exchange servers, is that defenders should always check whether attackers have left something behind in the network that they can return to later," Gallagher said. "For ProxyLogon this was web shells, for SolarMarker this is a stealthy and persistent backdoor that according to Sophos telematics is still active months after the campaign ended."
Related posts
- Hacking Tools 2019
- Hacking Tools For Beginners
- Hacking Tools For Pc
- Github Hacking Tools
- Hacker Tools Apk Download
- Hack Tools
- Nsa Hack Tools
- Hacking Tools Name
- Hack Tools For Ubuntu
- Easy Hack Tools
- Pentest Tools For Ubuntu
- Hacking Tools For Mac
- Tools For Hacker
- Hacker Tools List
- Hacking Apps
- Hacking Tools For Mac
- Usb Pentest Tools
- Hacking Tools
- Hacker Tools Apk Download
- How To Hack
- Computer Hacker
- Hack Tools For Games
- Pentest Tools
- Physical Pentest Tools
- Hacker Tools For Pc
- Hack Tools Pc
- Pentest Tools Download
- Github Hacking Tools
- Hacker Tools 2020
- Pentest Automation Tools
- Hackers Toolbox
- Pentest Tools Apk
- Hack Tools For Games
- Hacking Tools Windows 10
- Hackrf Tools
- Hack App
- Github Hacking Tools
- What Are Hacking Tools
- Game Hacking
- Hacking Tools Windows
- Hacker Tools
- New Hack Tools
- Install Pentest Tools Ubuntu
- Pentest Tools Review
- Tools For Hacker
- Hacker Security Tools
- Bluetooth Hacking Tools Kali
- Underground Hacker Sites
- Blackhat Hacker Tools
- Hacker Tools List
- Pentest Recon Tools
- Usb Pentest Tools
- Hacker Tools For Mac
- Ethical Hacker Tools
- Hack Tools
- Hack Tools For Windows
- Hacking Tools Name
- Hack Tools Mac
- Hacker Tools Apk
- Pentest Tools Website
- Hacking Tools For Kali Linux
- Hacker Tools Windows
- Nsa Hacker Tools
- Hacks And Tools
- Hacker Tools For Windows
- Pentest Tools Online
- Hacker Tools Windows
- Hacker Tools 2019
- Hacker Tool Kit
- Hacker Tools Hardware
- Hack Tools Github
- Hacking Tools For Pc
- How To Install Pentest Tools In Ubuntu
- Hack Website Online Tool
- Hacking Tools Kit
- Pentest Tools Apk
- Tools For Hacker
- Hack Tool Apk No Root
- Pentest Tools
- Hack Tool Apk No Root
- Kik Hack Tools
- Hacker Security Tools
- Hacker Tools Free
- Hacking Tools Online
- Pentest Tools Url Fuzzer
- Pentest Tools List
- Hacker Hardware Tools
- Best Pentesting Tools 2018
- Hacking Tools 2020
- Best Hacking Tools 2019
- Hacker Tools Apk Download
- Hacking Tools Online
- Bluetooth Hacking Tools Kali
- Hack Tools
- How To Install Pentest Tools In Ubuntu
- Bluetooth Hacking Tools Kali
- Android Hack Tools Github
- Pentest Tools For Windows
- Growth Hacker Tools
- Pentest Tools For Windows
- Hacker Tools 2019
- Hacker Security Tools
- New Hack Tools
- Pentest Tools For Windows
- Hacker
- Pentest Tools Port Scanner
- Hack Rom Tools
- Pentest Tools Framework
- Hacker Tools Free Download
- Hacker Security Tools
- Hacking Tools
- Pentest Tools Website Vulnerability
- Pentest Tools Open Source
- Hacking Tools 2019
- Pentest Tools List
No comments:
Post a Comment